Require Image Vulnerability Scans

An important part of ensuring software supply chain integrity is performing periodic vulnerability scans on images. Initial scans as part of the build process are necessary, but as new vulnerabilities are discovered the scans must be refreshed. This policy ensures that images, signed with Cosign's keyless ability during a GitHub Actions workflow, have attested vulnerability scans not older than one week. This policy is expected to be customized based upon your signing strategy and applicable to the images you designate.

Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-vulnerability-scan
  annotations:
    policies.kyverno.io/title: Require Image Vulnerability Scans
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.8.3
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      An important part of ensuring software supply chain integrity is performing
      periodic vulnerability scans on images. Initial scans as part of the build
      process are necessary, but as new vulnerabilities are discovered the scans
      must be refreshed. This policy ensures that images, signed with Cosign's
      keyless ability during a GitHub Actions workflow, have attested vulnerability
      scans not older than one week. This policy is expected to be customized based
      upon your signing strategy and applicable to the images you designate.
spec:
  validationFailureAction: Audit
  webhookTimeoutSeconds: 10
  failurePolicy: Fail
  rules:
    - name: scan-not-older-than-one-week
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - ghcr.io/myorg/myrepo:*
        attestations:
        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
          attestors:
          - entries:
            - keyless:
                subject: https://github.com/myorg/myrepo/.github/workflows/*
                issuer: https://token.actions.githubusercontent.com
                rekor:
                  url: https://rekor.sigstore.dev
          conditions:
          - all:
            - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
              operator: LessThanOrEquals
              value: 168h
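The condition above is evaluated against the predicate of the verified attestation: `time_since` measures how long ago the predicate's `metadata.scanFinishedOn` timestamp was, and the rule passes only if that age is at most 168 hours. The following Python block, added here as an illustration rather than code from Kyverno or Cosign, reproduces that freshness check against a constructed `cosign.sigstore.dev/attestation/vuln/v1` statement. The statement body, its digest and its scanner fields are constructed sample values, and the assumption that the scan time lives at `predicate.metadata.scanFinishedOn` in RFC 3339 form is what the policy's JMESPath key relies on.

```python
"""
Freshness check mirroring the policy's `time_since(...) <= 168h` condition.
Added example, not code from the Kyverno policy library or from Cosign.
The in-toto statement below is constructed; the field layout
(predicate.metadata.scanFinishedOn, RFC 3339) is an assumption.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=168)  # the policy's `value: 168h`
VULN_PREDICATE_TYPE = "cosign.sigstore.dev/attestation/vuln/v1"

# Constructed statement in the shape Cosign wraps a vuln predicate in.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": VULN_PREDICATE_TYPE,
    "subject": [{
        "name": "ghcr.io/myorg/myrepo",
        "digest": {"sha256": "0" * 64},  # constructed placeholder digest
    }],
    "predicate": {
        "invocation": {"uri": "https://github.com/myorg/myrepo/actions/runs/PLACEHOLDER"},
        "scanner": {"uri": "pkg:example/scanner", "version": "0.0.0"},  # constructed
        "metadata": {
            "scanStartedOn": "2023-06-01T11:55:00Z",
            "scanFinishedOn": "2023-06-01T12:00:00Z",
        },
    },
})


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp into an aware datetime."""
    # datetime.fromisoformat() before Python 3.11 rejects a trailing 'Z'.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("scanFinishedOn must carry a timezone offset")
    return ts


def scan_age(statement_json, now):
    """Return the age of the attested scan as a timedelta.

    `now` may be an aware datetime or an RFC 3339 string. Raises on a
    statement of the wrong predicateType, a missing timestamp or a
    timestamp in the future.
    """
    if isinstance(now, str):
        now = parse_rfc3339(now)
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != VULN_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType {stmt.get('predicateType')!r}")
    finished = stmt["predicate"]["metadata"]["scanFinishedOn"]  # KeyError if absent
    age = now - parse_rfc3339(finished)
    if age < timedelta(0):
        raise ValueError("scanFinishedOn lies in the future")
    return age


def scan_is_fresh(statement_json, now=None, max_age=MAX_AGE):
    """True when the scan is at most `max_age` old (LessThanOrEquals 168h).

    Any malformed or missing timestamp fails closed, the same way a missing
    attestation fails image verification in the policy.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    try:
        return scan_age(statement_json, now) <= max_age
    except (KeyError, TypeError, ValueError):
        return False


if __name__ == "__main__":
    print("fresh now?", scan_is_fresh(SAMPLE_STATEMENT))
    print("fresh six days later?", scan_is_fresh(SAMPLE_STATEMENT, "2023-06-07T12:00:00Z"))
```

Note that the comparison is inclusive, matching `LessThanOrEquals`: a scan exactly 168 hours old still passes, one second older does not. Because Kyverno applies the check at admission time, an image whose attestation passed at deploy time will start failing once the scan ages past the window, which is the intended effect of the policy.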